NoteCommit

Message decomposition

$SinsemillaCommit$ is used in the $NoteCommit$ function. The input to $SinsemillaCommit$ is:

$g ⋆_{d} ∣∣ pk ⋆_{d} ∣∣ I2LEBSP_{64} (v) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) ∣∣ I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ),$

where:

$g ⋆_{d}, pk ⋆_{d}$ are representations of Pallas curve points, with $255$ bits used for the $x$ -coordinate and $1$ bit used for the $y$ -coordinate.
$ρ, ψ$ are Pallas base field elements.
$v$ is a $64$ -bit value.
$ℓ_{base}^{Orchard p} = 255.$

Sinsemilla operates on multiples of 10 bits, so we start by decomposing the message into chunks:

$g ⋆_{d} pk ⋆_{d} I2LEBSP_{64} (v) I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) = a ∣∣ b_{0} ∣∣ b_{1} ∣∣ b_{2} = (bits 0..=249 of x (g_{d})) ∣∣ (bits 250..=253 of x (g_{d})) ∣∣ (bit 254 of x (g_{d})) ∣∣ (y bit of g_{d}) = b_{3} ∣∣ c ∣∣ d_{0} ∣∣ d_{1} = (bits 0..=3 of x (p k_{d})) ∣∣ (bits 4..=253 of x (p k_{d})) ∣∣ (bit 254 of x (p k_{d})) ∣∣ (y bit of p k_{d}) = d_{2} ∣∣ d_{3} ∣∣ e_{0} = (bits 0..=7 of v) ∣∣ (bits 8..=57 of v) ∣∣ (bits 58..=63 of v) = e_{1} ∣∣ f ∣∣ g_{0} = (bits 0..=3 of ρ) ∣∣ (bits 4..=253 of ρ) ∣∣ (bit 254 of ρ) = g_{1} ∣∣ g_{2} ∣∣ h_{0} ∣∣ h_{1} = (bits 0..=8 of ψ) ∣∣ (bits 9..=248 of ψ) ∣∣ (bits 249..=253 of ψ) ∣∣ (bit 254 of ψ)$

Then we recompose the chunks into message pieces:

$Length (bits) 25010250601025025010 Piece a b = b_{0} ∣∣ b_{1} ∣∣ b_{2} ∣∣ b_{3} c d = d_{0} ∣∣ d_{1} ∣∣ d_{2} ∣∣ d_{3} e = e_{0} ∣∣ e_{1} f g = g_{0} ∣∣ g_{1} ∣∣ g_{2} h = h_{0} ∣∣ h_{1} ∣∣ h_{2}$

where $h_{2}$ is 4 zero bits (corresponding to the padding applied by the Sinsemilla $pad$ function).

Each message piece is constrained by $SinsemillaHash$ to its stated length. Additionally:

$g_{d}$ and $p k_{d}$ are witnessed and checked to be valid elliptic curve points.
$v$ is witnessed as a field element, but its decomposition is sufficient to constrain it to be a 64-bit value.
$ρ$ and $ψ$ are witnessed as field elements, so we know they are canonical.

However, we need additional constraints to enforce that:

The chunks are the correct bit lengths (or else they could overlap in the decompositions and allow the prover to witness an arbitrary $SinsemillaCommit$ message).
The chunks contain the canonical decompositions of $g_{d}$ , $p k_{d}$ , $ρ$ , and $ψ$ (or else the prover could witness multiple equivalent inputs to $SinsemillaCommit$ ).

Some of these constraints are implemented with a reusable circuit gadget, $short_lookup_range_check ()$ . We define custom gates for the remainder. Since these gates use simple boolean selectors activated on different rows, their selectors are eligible for combining, reducing the overall proof size.

Message piece decomposition

We check the decomposition of each message piece in its own region. There is no need to check the whole pieces:

$a$ ( $250$ bits) is witnessed and constrained outside the gate;
$c$ ( $250$ bits) is witnessed and constrained outside the gate;
$f$ ( $250$ bits) is witnessed and constrained outside the gate;

The following helper gates are defined:

$bool_check (x) = x \cdot (1 - x)$ .
$short_lookup_range_check ()$ is a short lookup range check.

$b = b_{0} ∣∣ b_{1} ∣∣ b_{2} ∣∣ b_{3}$

$b$ has been constrained to be $10$ bits by the Sinsemilla hash.

Region layout

$A_{6} b A_{7} b_{0} b_{2} A_{8} b_{1} b_{3} q_{NoteCommit, b} 10$

Constraints

$Degree 332 Constraint q_{NoteCommit, b} \cdot bool_check (b_{1}) = 0 q_{NoteCommit, b} \cdot bool_check (b_{2}) = 0 q_{NoteCommit, b} \cdot (b - (b_{0} + b_{1} \cdot 2^{4} + b_{2} \cdot 2^{5} + b_{3} \cdot 2^{6})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (b_{0}, 4)$
$short_lookup_range_check (b_{3}, 4)$

$d = d_{0} ∣∣ d_{1} ∣∣ d_{2} ∣∣ d_{3}$

$d$ has been constrained to be $60$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} d A_{7} d_{0} d_{2} A_{8} d_{1} d_{3} q_{NoteCommit, d} 10$

Constraints

$Degree 332 Constraint q_{NoteCommit, d} \cdot bool_check (d_{0}) = 0 q_{NoteCommit, d} \cdot bool_check (d_{1}) = 0 q_{NoteCommit, d} \cdot (d - (d_{0} + d_{1} \cdot 2 + d_{2} \cdot 2^{2} + d_{3} \cdot 2^{10})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (d_{2}, 8)$
$d_{3}$ is equality-constrained to $z_{d, 1}$ , where the latter is the index-1 running sum output of $SinsemillaHash (d),$ constrained by the hash to be $50$ bits.

$e = e_{0} ∣∣ e_{1}$

$e$ has been constrained to be $10$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} e A_{7} e_{0} A_{8} e_{1} q_{NoteCommit, e} 1$

Constraints

$Degree 2 Constraint q_{NoteCommit, e} \cdot (e - (e_{0} + e_{1} \cdot 2^{6})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (e_{0}, 6)$
$short_lookup_range_check (e_{1}, 4)$

$g = g_{0} ∣∣ g_{1} ∣∣ g_{2}$

$g$ has been constrained to be $250$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} g g_{1} A_{7} g_{0} g_{2} q_{NoteCommit, g} 10$

Constraints

$Degree 32 Constraint q_{NoteCommit, g} \cdot bool_check (g_{0}) = 0 q_{NoteCommit, g} \cdot (g - (g_{0} + g_{1} \cdot 2 + g_{2} \cdot 2^{10})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (g_{1}, 9)$
$g_{2}$ is equality-constrained to $z_{g, 1}$ , where the latter is the index-1 running sum output of $SinsemillaHash (g),$ constrained by the hash to be 240 bits.

$h = h_{0} ∣∣ h_{1} ∣∣ h_{2}$

$h$ has been constrained to be $10$ bits by the $SinsemillaHash$ .

Region layout

$A_{6} h A_{7} h_{0} A_{8} h_{1} q_{NoteCommit, h} 1$

Constraints

$Degree 32 Constraint q_{NoteCommit, h} \cdot bool_check (h_{1}) = 0 q_{NoteCommit, h} \cdot (h - (h_{0} + h_{1} \cdot 2^{5})) = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (h_{0}, 5)$

Field element checks

All message pieces and subpieces have been range-constrained by the earlier decomposition gates. They are now used to:

constrain each field element $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (g_{d}))$ , $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (p k_{d}))$ , $I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ)$ , and $I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ)$ to be 255-bit values, with top bits $b_{1}$ , $d_{0}$ , $g_{0}$ , and $h_{1}$ respectively.
constrain $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (g_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (x (p k_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) = x (g_{d}) (mod q_{P}) = x (p k_{d}) (mod q_{P}) = ρ (mod q_{P}) = ψ (mod q_{P})$ where $q_{P}$ is the Pallas base field modulus.
check that these are indeed canonically-encoded field elements, i.e. $I2LEBSP_{ℓ_{base}^{Orchard p}} (x (g_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (x (p k_{d})) I2LEBSP_{ℓ_{base}^{Orchard p}} (ρ) I2LEBSP_{ℓ_{base}^{Orchard p}} (ψ) < q_{P} < q_{P} < q_{P} < q_{P}$

The Pallas base field modulus has the form $q_{P} = 2^{254} + t_{P}$ , where $t_{P} = 0x224698fc094cf91b992d30ed00000001$ is 126 bits. We therefore know that if the top bit is not set, then the remaining bits will always comprise a canonical encoding of a field element. Thus the canonicity checks below are enforced if and only if the corresponding top bit is set to 1.

In the constraints below we use a base- $2^{10}$ variant of the method used in libsnark (originally from [SVPBABW2012, Appendix C.1]) for range constraints $0 \leq x < t$ :

Let $t^{'}$ be the smallest power of $2^{10}$ greater than $t$ .

Enforce $0 \leq x < t^{'}$ .

Let $x^{'} = x + t^{'} - t$ .

Enforce $0 \leq x^{'} < t^{'}$ .

$x (g_{d})$ with $b_{1} = 1 ⟹ x (g_{d}) \geq 2^{254}$

Recall that $x (g_{d}) = a + 2^{250} \cdot b_{0} + 2^{254} \cdot b_{1}$ . When the top bit $b_{1}$ is set, we check that $x (g_{d})_{0.. = 253} < t_{P}$ :

$b_{1} = 1 ⟹ b_{0} = 0.$

Since $b_{1} = 1 ⟹ x (g_{d})_{0.. = 253} < t_{P} < 2^{126},$ we know that $x (g_{d})_{126.. = 253} = 0,$ and in particular $b_{0} := x (g_{d})_{250.. = 253} = 0.$
$b_{1} = 1 ⟹ 0 \leq a < t_{P} .$

To check that $a < t_{P}$ , we use two constraints:

a) $0 \leq a < 2^{130}$ . This is expressed in the custom gate as $b_{1} \cdot z_{a, 13} = 0,$ where $z_{a, 13}$ is the index-13 running sum output by $SinsemillaHash (a) .$

b) $0 \leq a + 2^{130} - t_{P} < 2^{130}$ . To check this, we decompose $a^{'} = a + 2^{130} - t_{P}$ into thirteen 10-bit words (little-endian) using a running sum $z_{a^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $b_{1} \cdot z_{a^{'}, 13} = 0.$

Region layout

$A_{6} x (g_{d}) A_{7} b_{0} b_{1} A_{8} a a^{'} A_{9} z_{a, 13} z_{a^{'}, 13} q_{NoteCommit, x (g_{d})} 10$

Constraints

$Degree 23323 Constraint q_{NoteCommit, x (g_{d})} \cdot (a + b_{0} \cdot 2^{250} + b_{1} \cdot 2^{254} - x (g_{d})) = 0 q_{NoteCommit, x (g_{d})} \cdot b_{1} \cdot b_{0} = 0 q_{NoteCommit, x (g_{d})} \cdot b_{1} \cdot z_{a, 13} = 0 q_{NoteCommit, x (g_{d})} \cdot (a + 2^{130} - t_{P} - a^{'}) = 0 q_{NoteCommit, x (g_{d})} \cdot b_{1} \cdot z_{a^{'}, 13} = 0$

$x (p k_{d})$ with $d_{0} = 1 ⟹ x (p k_{d}) \geq 2^{254}$

Recall that $x (p k_{d}) = b_{3} + 2^{4} \cdot c + 2^{254} \cdot d_{0}$ . When the top bit $d_{0}$ is set, we check that $x (p k_{d})_{0.. = 253} < t_{P}$ :

$d_{0} = 1 ⟹ 0 \leq b_{3} + 2^{4} \cdot c < t_{P} .$

To check that $0 \leq b_{3} + 2^{4} \cdot c < t_{P},$ we use two constraints:

a) $0 \leq b_{3} + 2^{4} \cdot c < 2^{140} .$ $b_{3}$ is already constrained individually to be a $4$ -bit value. $z_{c, 13}$ is the index-13 running sum output by $SinsemillaHash (c) .$ By constraining $d_{0} \cdot z_{c, 13} = 0,$ we constrain $b_{3} + 2^{4} \cdot c < 2^{134} < 2^{140} .$

b) $0 \leq b_{3} + 2^{4} \cdot c + 2^{140} - t_{P} < 2^{140}$ . To check this, we decompose $b_{3} c^{'} = b_{3} + 2^{4} \cdot c + 2^{140} - t_{P}$ into fourteen 10-bit words (little-endian) using a running sum $z_{b_{3} c^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $d_{0} \cdot z_{b_{3} c^{'}, 14} = 0.$

Region layout

$A_{6} x (p k_{d}) A_{7} b_{3} d_{0} A_{8} c b_{3} c^{'} A_{9} z_{c, 13} z_{b_{3} c^{'}, 14} q_{NoteCommit, x (p k_{d})} 10$

Constraints

$Degree 2323 Constraint q_{NoteCommit, x (p k_{d})} \cdot (b_{3} + c \cdot 2^{4} + d_{0} \cdot 2^{254} - x (p k_{d})) = 0 q_{NoteCommit, x (p k_{d})} \cdot d_{0} \cdot z_{c, 13} = 0 q_{NoteCommit, x (p k_{d})} \cdot (b_{3} + c \cdot 2^{4} + 2^{140} - t_{P} - b_{3} c^{'}) = 0 q_{NoteCommit, x (p k_{d})} \cdot d_{0} \cdot z_{b_{3} c^{'}, 14} = 0$

$v = d_{2} + 2^{8} \cdot d_{3} + 2^{58} \cdot e_{0}$

Region layout

$A_{6} v a l u e A_{7} d_{2} A_{8} d_{3} A_{9} e_{0} q_{NoteCommit, v a l u e} 1$

Constraints

$Degree 2 Constraint q_{NoteCommit, v a l u e} \cdot (d_{2} + d_{3} \cdot 2^{8} + e_{0} \cdot 2^{58} - value) = 0$

$ρ$ with $g_{0} = 1 ⟹ ρ \geq 2^{254}$

Recall that $ρ = e_{1} + 2^{4} \cdot f + 2^{254} \cdot g_{0}$ . When the top bit $g_{0}$ is set, we check that $ρ_{0.. = 253} < t_{P}$ :

$g_{0} = 1 ⟹ 0 \leq e_{1} + 2^{4} \cdot f < t_{P} .$

To check that $0 \leq e_{1} + 2^{4} \cdot f < t_{P},$ we use two constraints:

a) $0 \leq e_{1} + 2^{4} \cdot f < 2^{140} .$ $e_{1}$ is already constrained individually to be a $4$ -bit value. $z_{f, 13}$ is the index-13 running sum output by $SinsemillaHash (f) .$ By constraining $g_{0} \cdot z_{f, 13} = 0,$ we constrain $e_{1} + 2^{4} \cdot f < 2^{134} < 2^{140} .$

b) $0 \leq e_{1} + 2^{4} \cdot f + 2^{140} - t_{P} < 2^{140}$ . To check this, we decompose $e_{1} f^{'} = e_{1} + 2^{4} \cdot f + 2^{140} - t_{P}$ into fourteen 10-bit words (little-endian) using a running sum $z_{e_{1} f^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $g_{0} \cdot z_{e_{1} f^{'}, 14} = 0.$

Region layout

$A_{6} ρ A_{7} e_{1} g_{0} A_{8} f e_{1} f^{'} A_{9} z_{f, 13} z_{e_{1} f^{'}, 14} q_{NoteCommit, ρ} 10$

Constraints

$Degree 2323 Constraint q_{NoteCommit, ρ} \cdot (e_{1} + f \cdot 2^{4} + g_{0} \cdot 2^{254} - ρ) = 0 q_{NoteCommit, ρ} \cdot g_{0} \cdot z_{f, 13} = 0 q_{NoteCommit, ρ} \cdot (e_{1} + f \cdot 2^{4} + 2^{140} - t_{P} - e_{1} f^{'}) = 0 q_{NoteCommit, ρ} \cdot g_{0} \cdot z_{e_{1} f^{'}, 14} = 0$

$ψ$ with $h_{1} = 1 ⟹ ψ \geq 2^{254}$

Recall that $ψ = g_{1} + 2^{9} \cdot g_{2} + 2^{249} \cdot h_{0} + 2^{254} \cdot h_{1}$ . When the top bit $h_{1}$ is set, we check that $ψ_{0.. = 253} < t_{P}$ :

$h_{1} = 1 ⟹ h_{0} = 0.$

Since $h_{1} = 1 ⟹ ψ_{0.. = 253} < t_{P} < 2^{126},$ we know that $ψ_{126.. = 253} = 0,$ and in particular $h_{0} := ψ_{249.. = 253} = 0.$
$h_{1} = 1 ⟹ 0 \leq g_{1} + 2^{9} \cdot g_{2} < t_{P} .$

To check that $0 \leq g_{1} + 2^{9} \cdot g_{2} < t_{P},$ we use two constraints:

a) $0 \leq g_{1} + 2^{9} \cdot g_{2} < 2^{140} .$ $g_{1}$ is already constrained individually to be a $9$ -bit value. $z_{g, 13}$ is the index-13 running sum output by $SinsemillaHash (g) .$ By constraining $h_{1} \cdot z_{g, 13} = 0,$ we constrain $g_{1} + 2^{9} \cdot g_{2} < 2^{129} < 2^{130} .$

b) $0 \leq g_{1} + 2^{9} \cdot g_{2} + 2^{130} - t_{P} < 2^{130}$ . To check this, we decompose $g_{1} g_{2}^{'} = g_{1} + 2^{9} \cdot g_{2} + 2^{130} - t_{P}$ into thirteen 10-bit words (little-endian) using a running sum $z_{g_{1} g_{2}^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $h_{1} \cdot z_{g_{1} g_{2}^{'}, 13} = 0.$

Region layout

$A_{6} ψ h_{0} A_{7} g_{1} h_{1} A_{8} g_{2} g_{1} g_{2}^{'} A_{9} z_{g, 13} z_{g_{1} g_{2}^{'}, 13} q_{NoteCommit, ψ} 10$

Constraints

$Degree 23323 Constraint q_{NoteCommit, ψ} \cdot (g_{1} + g_{2} \cdot 2^{9} + h_{0} \cdot 2^{249} + h_{1} \cdot 2^{254} - ψ) = 0 q_{NoteCommit, ψ} \cdot h_{1} \cdot h_{0} = 0 q_{NoteCommit, ψ} \cdot h_{1} \cdot z_{g, 13} = 0 q_{NoteCommit, ψ} \cdot (g_{1} + g_{2} \cdot 2^{9} + 2^{130} - t_{P} - g_{1} g_{2}^{'}) = 0 q_{NoteCommit, ψ} \cdot h_{1} \cdot z_{g_{1} g_{2}^{'}, 13} = 0$

$y$ -coordinate checks

Note that only the $y$ LSB of the $y$ -coordinates $y (g_{d}), y (p k_{d})$ was input to the hash, while the other bits of the $y$ -coordinate were unused. However, we must still check that the witnessed $y$ bit matches the original point's $y$ -coordinate. The checks for $y (g_{d}), y (p k_{d})$ will follow the same format. For each $y$ -coordinate, we witness:

$y = LSB ∣∣ k_{0} ∣∣ k_{1} ∣∣ k_{2} ∣∣ k_{3} = LSB ∣∣ (bits 1.. = 9 of y) ∣∣ (bits 10.. = 249 of y) ∣∣ (bits 250.. = 253 of y) ∣∣ (bit 254 of y),$

where $LSB$ is $b_{2}$ for $y (g_{d})$ , and $d_{1}$ for $y (p k_{d})$ . Let $j = LSB + 2 \cdot k_{0} + 2^{10} \cdot k_{1} .$ We decompose $j$ to be $250$ bits using a strict $25 -$ word ten-bit lookup. The running sum outputs allow us to susbstitute $k_{1} = z_{j, 1} .$

Recall that $b_{2} = y (g_{d})$ and $d_{1} = y (p k_{d})$ were pieces input to the Sinsemilla hash and have already been boolean-constrained. $k_{0}$ and $k_{2}$ are constrained outside this gate to $9$ and $4$ bits respectively. To constrain the remaining chunks, we use the following constraints:

$Degree 3 Constraint q_{NoteCommit, y} \cdot bool_check (k_{3}) = 0$

Then, to check that the decomposition was correct: $Degree 22 Constraint q_{NoteCommit, y} \cdot (j - (LSB + k_{0} \cdot 2 + k_{1} \cdot 2^{10})) = 0 q_{NoteCommit, y} \cdot (y - (j + k_{2} \cdot 2^{250} + k_{3} \cdot 2^{254})) = 0$

$y (g_{d})$ with $k_{3} = 1 ⟹ y (g_{d}) \geq 2^{254}$

In these cases, we check that $y (g_{d})_{0.. = 253} < t_{P}$ :

$k_{3} = 1 ⟹ k_{2} = 0.$

Since $k_{3} = 1 ⟹ y (g_{d})_{0.. = 253} < t_{P} < 2^{126},$ we know that $y (g_{d})_{126.. = 253} = 0,$ and in particular $k_{2} := y (g_{d})_{250.. = 253} = 0.$
$k_{3} = 1 ⟹ 0 \leq j < t_{P} .$

To check that $j < t_{P}$ , we use two constraints:

a) $0 \leq j < 2^{130}$ . This is expressed in the custom gate as $k_{3} \cdot z_{j, 13} = 0,$ where $z_{j, 13}$ is the index-13 running sum output by the $10$ -bit lookup decomposition of $j$ .

b) $0 \leq j + 2^{130} - t_{P} < 2^{130}$ . To check this, we decompose $j^{'} = j + 2^{130} - t_{P}$ into thirteen 10-bit words (little-endian) using a running sum $z_{j^{'}}$ , looking up each word in a $10$ -bit lookup table. We then enforce in the custom gate that $k_{3} \cdot z_{j^{'}, 13} = 0.$

Region layout

$A_{5} y j A_{6} \tilde{y} k_{1} A_{7} k_{0} z_{j, 13} A_{8} k_{2} j^{'} A_{9} k_{3} z_{j^{'}, 13} q_{NoteCommit, y} 10$

Constraints

$Degree 3323 Constraint q_{NoteCommit, y} \cdot k_{3} \cdot k_{2} = 0 q_{NoteCommit, y} \cdot k_{3} \cdot z_{j, 13} = 0 q_{NoteCommit, y} \cdot (j + 2^{130} - t_{P} - j^{'}) = 0 q_{NoteCommit, y} \cdot k_{3} \cdot z_{j^{'}, 13} = 0$

Outside this gate, we have constrained:

$short_lookup_range_check (k_{0}, 9)$
$short_lookup_range_check (k_{2}, 4)$

$y (p k_{d})$

This can be checked in exactly the same way as $y (g_{d})$ , with $b_{2}$ replaced by $d_{1}$ .

The Orchard Book